
Changeset 51424


Timestamp:
07/13/2021 06:03:16 PM (3 years ago)
Author:
desrosj
Message:

Widgets: Validate HTML before saving block widgets.

Props talldanwp, noisysocks, kevin940726, peterwilsoncc.
Merges [51414] and [51423] to the 5.8 branch.

Location:
branches/5.8
Files:
3 edited


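--- a/branches/5.8/src/wp-includes/class-wp-customize-widgets.php
+++ b/branches/5.8/src/wp-includes/class-wp-customize-widgets.php
@@ -1420,4 +1420,13 @@
             $widget_object = $wp_widget_factory->get_widget_object( $id_base );
             if ( ! empty( $widget_object->widget_options['show_instance_in_rest'] ) ) {
+                if ( 'block' === $id_base && ! current_user_can( 'unfiltered_html' ) ) {
+                    /*
+                     * The content of the 'block' widget is not filtered on the
+                     * fly while editing. Filter the content here to prevent
+                     * vulnerabilities.
+                     */
+                    $value['raw_instance']['content'] = wp_kses_post( $value['raw_instance']['content'] );
+                }
+
                 return $value['raw_instance'];
             }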
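Review bot: The new branch reads `$value['raw_instance']['content']` without checking that the key is present, so a `raw_instance` that lacks `content` raises a notice and hands `null` to `wp_kses_post()`; guarding with `if ( 'block' === $id_base && isset( $value['raw_instance']['content'] ) && ! current_user_can( 'unfiltered_html' ) )` keeps the filtering while avoiding that. Whether a block widget's raw_instance can arrive here without `content` cannot be confirmed from the hunk. The comment would also be more useful if it said why the filtering lives in this method: the line below returns `$value['raw_instance']` directly rather than passing it through `WP_Widget_Block::update()`, so the `wp_kses_post()` treatment that `update()` applies for users without `unfiltered_html` has to be repeated at sanitize time. The enclosing function starts outside the hunk.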
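--- a/branches/5.8/src/wp-includes/widgets/class-wp-widget-block.php
+++ b/branches/5.8/src/wp-includes/widgets/class-wp-widget-block.php
@@ -179,6 +179,11 @@
      */
     public function update( $new_instance, $old_instance ) {
-        $instance            = array_merge( $this->default_instance, $old_instance );
-        $instance['content'] = $new_instance['content'];
+        $instance = array_merge( $this->default_instance, $old_instance );
+
+        if ( current_user_can( 'unfiltered_html' ) ) {
+            $instance['content'] = $new_instance['content'];
+        } else {
+            $instance['content'] = wp_kses_post( $new_instance['content'] );
+        }
 
         return $instance;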
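Review bot: The docblock of update() ends just above the hunk and does not mention that saved content now depends on the saving user's capabilities; a line such as `Content is passed through wp_kses_post() unless the current user has the unfiltered_html capability.` would explain to callers why the stored content can differ from what was submitted. The two assignments could also collapse into one expression, `$instance['content'] = current_user_can( 'unfiltered_html' ) ? $new_instance['content'] : wp_kses_post( $new_instance['content'] );`, leaving a single place that reads `$new_instance['content']`. As before the change, `$new_instance['content']` is read without an isset() guard, which the commit does not address; `$new_instance['content'] ?? ''` would be a minimal hardening if a missing key is possible here, which cannot be confirmed from the hunk. The method's closing brace lies outside the hunk.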